Activating Azure Rights Management

Carol Bailey

Applies to: Azure Rights Management, Office 365

When you activate Azure Rights Management (Azure RMS), your organization can start to protect important data by using applications and services that support this information protection solution. Administrators can also manage and monitor protected files and emails that your organization owns. You must enable Rights Management before you can begin to use the information rights management (IRM) features within Office, SharePoint, and Exchange, and protect any sensitive or confidential file.

If you want to learn more about Azure Rights Management before you activate the service—for example, what business problems it solves, some typical use cases, and how it works—see What is Azure Rights Management?


Before you activate Rights Management, make sure that your organization has a service plan that includes Rights Management services. If not, you will not be able to activate Azure RMS.

For more information, see Cloud subscriptions that support Azure RMS.

After you have activated Azure RMS, all users in your organization can apply information protection to their files, and all users can open (consume) files that have been protected by Azure RMS. However, if you prefer, you can restrict who can apply information protection, by using onboarding controls for a phased deployment. For more information, see the Configuring onboarding controls for a phased deployment section in this article.

For instructions how to activate Rights Management from your management portal, select whether you will use the Office 365 admin center (preview or classic), or the Azure classic management portal:

Alternatively, you can use Windows PowerShell to activate Rights Management:

  1. Install the Azure Rights Management Administration Tool, which installs the Azure Rights Management administration module. For instructions, see Installing Windows PowerShell for Azure Rights Management.

  2. From a Windows PowerShell session, run Connect-AadrmService, and when prompted, provide the global administrator account details for your Azure RMS tenant.

  3. Run Enable-Aadrm, which activates the Azure RMS service.

Configuring onboarding controls for a phased deployment

If you don’t want all users to be able to protect files immediately by using Azure RMS, you can configure user onboarding controls by using the Set-AadrmOnboardingControlPolicy Windows PowerShell command. You can run this command before or after you activate Azure RMS.


To use this command, you must have at least version of the Azure RMS Windows PowerShell module.

To check the version you have installed, run: (Get-Module aadrm –ListAvailable).Version

For example, if you initially want only administrators in the “IT department” group (that has an object ID of fbb99ded-32a0-45f1-b038-38b519009503) to be able to protect content for testing purposes, use the following command:

Set-AadrmOnboardingControlPolicy – SecurityGroupObjectId fbb99ded-32a0-45f1-b038-38b519009503

Note that for this configuration option, you must specify a group; you cannot specify individual users.

Or, if you want to ensure that only users who are correctly licensed to use Azure RMS can protect content:

Set-AadrmOnboardingControlPolicy -UseRmsUserLicense $true

When you use these onboarding controls, all users in the organization can always consume protected content that has been protected by your subset of users, but they won’t be able to apply information protection themselves from client applications. For example, they won’t see in their Office clients the default templates that are automatically published when Azure RMS is activated, or custom templates that you might configure. Server-side applications, such as Exchange, can implement their own per-user controls for RMS-integration to achieve the same result.

Next steps

Now that you’ve activated Azure Rights Management for your organization, use the Azure Rights Management deployment roadmap to check whether there are other configuration steps that you might need to do before you roll out Azure Rights Management to users and administrators.

For example, you might want to use custom templates to make it easier for users to apply information protection to files, connect your on-premises servers to use Azure Rights Management by installing the RMS connector, and deploy the Rights Management sharing application that supports protecting all file types on all devices.

Office services, such as Exchange Online and SharePoint Online require additional configuration before you can use their Information Rights Management (IRM) features. For information about how your applications work with Azure Rights Management, see How applications support Azure Rights Management.